Banking Statement Phish Carries Nasty PowerShell Payload

A new phishing campaign is going around that uses Word documents and macros to spread information-stealing malware. The lure is the tried-and-true banking statement gambit.

With a simple subject line that says, “Financial Statement,” an official-sounding mail informs the victim-to-be that his or her requested statement is attached—followed by a confidentiality clause that’s intended to add an air of legitimacy.

But, of course, the communique is anything but legit. It carries a malware that is capable of copying contents from the clipboard, as well as logging keystrokes. The data is then posted back to the attackers’ domain.

“On December 11, one of our employees reported a phishing email with PhishMe’s Reporter for Outlook that contained a particularly nasty Word document,” said Ronnie Tokazowski, in an alert at the PhishMe site. The malicious payload included PowerShell, VBA and batch code.

The chain of execution is pretty straightforward and domino-like: Once opened, the document’s contents are blurred, and it asks recipients to enable macros in order to view the document. If they do, and the macro becomes enabled, it kicks off by executing a batch script, which then executes visual basic script, which in turn triggers a PowerShell script.

The batch file is responsible for pinging 1.1.2.2 twice, changing the console code to the Cyrillic script, interestingly—and running the second file in visual basic. Next, the VBS file runs a PowerShell script, thus finally downloading the malware. It also performs some basic clean-up activity to avoid detection, like removing the other scripts used to execute the process in the first place.

As always, consumers should beware mails with links and attachments that they haven’t specifically solicited. But as a recent Intel/McAfee study points out, it’s very hard to tell these days what’s real and what’s criminally masterminded.

A quiz displayed 10 real emails collected by analysts at McAfee Labs, a mix of true company correspondence and phishing mails. Industry insiders averaged a two-thirds accuracy rate when it came to identifying the socially engineered mails. Just six percent of quiz-takers got all the questions right, and 17 percent got half or more wrong.

"Even if you're a security professional, it's hard to just look at these emails and say whether they're phishing or not. Every single one looks like a good email," said Gary Davis, vice president of global consumer marketing for McAfee, speaking to CBS News.